Abstract

Self-stabilization is a versatile approach to fault-tolerance since it permits a distributed
system to recover from any transient fault that arbitrarily corrupts the contents of all memories
in the system. Byzantine tolerance is an attractive feature of distributed systems that permits
them to cope with arbitrary malicious behaviors.

We consider the well-known problem of constructing a maximum metric tree in this context.
Combining these two properties is known to induce many impossibility results. In this paper,
we provide two necessary conditions to construct a maximum metric tree in the presence of transient
and (permanent) Byzantine faults.



1 Introduction 



The advent of ubiquitous large-scale distributed systems advocates that tolerance to various kinds of
faults and hazards must be included from the very early design of such systems. Self-stabilization
[2, 3, 15] is a versatile technique that permits forward recovery from any kind of transient faults,
while Byzantine fault-tolerance [11] is traditionally used to mask the effect of a limited number
of malicious faults. Making distributed systems tolerant to both transient and malicious faults is
appealing yet proved difficult [H [H Q3] as impossibility results are expected in many cases.
Related Works. A promising path towards multitolerance to both transient and Byzantine faults
is Byzantine containment. For local tasks (i.e. tasks whose correctness can be checked locally, such
as vertex coloring, link coloring, or dining philosophers), the notion of strict stabilization was
proposed [14, 13]. Strict stabilization guarantees that there exists a containment radius outside
which the effect of permanent faults is masked, provided that the problem specification makes it
possible to break the causality chain that is caused by the faults. As many problems are not local, it
turns out that it is impossible to provide strict stabilization for those. To circumvent impossibility
results, the weaker notion of strong stabilization was proposed [12, 7]: here, correct nodes outside
the containment radius may be perturbed by the actions of Byzantine nodes, but only a finite
number of times.

Recently, the idea of generalizing strict and strong stabilization to an area that depends on the
graph topology and the problem to be solved rather than an arbitrary fixed containment radius was
proposed [6] and called topology-aware strict (and strong) stabilization. When maximizable
metric trees are considered, [5] proposed an optimal (with respect to impossibility results) protocol
for topology-aware strict stabilization, and for the simpler case of breadth-first-search metric trees,
[6] presented a protocol that is optimal both with respect to strict and strong variants of
topology-aware stabilization. The case of optimality for topology-aware strong stabilization in the
general maximal metric case remains open.

Our Contribution. In this paper, we investigate the possibility of topology-aware strong
stabilization for tasks that are global (i.e. for which there exists a causality chain of size r, where
r depends on n, the size of the network), and focus on the maximum metric tree problem. In
more detail, we provide two necessary conditions to perform Byzantine containment for maximum
metric tree construction. First, we characterize a specific class of maximizable metrics (which
includes breadth-first-search and shortest path metrics) that prevents the existence of strongly
stabilizing solutions. Then, we generalize an impossibility result of [6] that provides a lower bound on
the containment area for topology-aware strong stabilization.

2 Model and Definitions 

2.1 State Model 

A distributed system $S = (P, L)$ consists of a set $P = \{v_1, v_2, \ldots, v_n\}$ of processes and a set $L$
of bidirectional communication links (simply called links). A link is an unordered pair of distinct
processes. A distributed system $S$ can be regarded as a graph whose vertex set is $P$ and whose
link set is $L$, so we use graph terminology to describe a distributed system $S$. We use the following
notations: $n = |P|$, $m = |L|$ and $d(u, v)$ denotes the distance between two processes $u$ and $v$
(i.e. the length of the shortest path between $u$ and $v$).

Processes $u$ and $v$ are called neighbors if $(u, v) \in L$. The set of neighbors of a process $v$ is
denoted by $N_v$. We do not assume existence of a unique identifier for each process. Instead we
assume each process can distinguish its neighbors from each other by locally labelling them.

In this paper, we consider distributed systems of arbitrary topology. We assume that a single 
process is distinguished as a root, and all the other processes are identical. We adopt the shared 
state model as a communication model in this paper, where each process can directly read the 
states of its neighbors. 

The variables that are maintained by processes denote process states. A process may take
actions during the execution of the system. An action is simply a function that is executed in an
atomic manner by the process. The action executed by each process is described by a finite set
of guarded actions of the form $\langle guard \rangle \longrightarrow \langle statement \rangle$. Each guard of process $u$ is a boolean
expression involving the variables of $u$ and its neighbors.

A global state of a distributed system is called a configuration and is specified by a product
of states of all processes. We define $C$ to be the set of all possible configurations of a distributed
system $S$. For a process set $R \subseteq P$ and two configurations $\rho$ and $\rho'$, we denote $\rho \xrightarrow{R} \rho'$ when $\rho$
changes to $\rho'$ by executing an action of each process in $R$ simultaneously. Notice that $\rho$ and $\rho'$
can be different only in the states of processes in $R$. For completeness of execution semantics, we
should clarify the configuration resulting from simultaneous actions of neighboring processes. The
action of a process depends only on its state at $\rho$ and the states of its neighbors at $\rho$, and the result
of the action reflects on the state of the process at $\rho'$.

We say that a process is enabled in a configuration $\rho$ if the guard of at least one of its actions
is evaluated as true in $\rho$.

A schedule of a distributed system is an infinite sequence of process sets. Let $Q = R^1, R^2, \ldots$
be a schedule, where $R^i \subseteq P$ holds for each $i$ ($i \ge 1$). An infinite sequence of configurations
$e = \rho_0, \rho_1, \ldots$ is called an execution from an initial configuration $\rho_0$ by a schedule $Q$, if $e$ satisfies
$\rho_{i-1} \xrightarrow{R^i} \rho_i$ for each $i$ ($i \ge 1$). Process actions are executed atomically, and we distinguish some
properties on the scheduler (or daemon). A distributed daemon schedules the actions of processes
such that any subset of processes can simultaneously execute their actions. We say that the daemon
is central if it schedules the action of only one process at any step. The set of all possible executions
from $\rho_0 \in C$ is denoted by $E_{\rho_0}$. The set of all possible executions is denoted by $E$, that is,
$E = \bigcup_{\rho \in C} E_\rho$. We consider asynchronous distributed systems where we can make no assumption
on schedules.

In this paper, we consider (permanent) Byzantine faults: a Byzantine process (i.e. a
Byzantine-faulty process) can behave arbitrarily, independently of its actions. If v is a Byzantine
process, v can repeatedly change its variables arbitrarily. For a given execution, the number of
faulty processes is arbitrary but we assume that the root process is never faulty.

2.2 Self-Stabilizing Protocols Resilient to Byzantine Faults 

Problems considered in this paper are so-called static problems, i.e. they require the system to
find static solutions. For example, the spanning-tree construction problem is a static problem,
while the mutual exclusion problem is not. Some static problems can be defined by a specification
predicate (shortly, specification), spec(v), for each process v: a configuration is a desired one (with
a solution) if every process satisfies spec(v). A specification spec(v) is a boolean expression on
variables of $P_v$ ($\subseteq P$) where $P_v$ is the set of processes whose variables appear in spec(v). The
variables appearing in the specification are called output variables (shortly, O-variables). In what
follows, we consider a static problem defined by specification spec(v).

A self-stabilizing protocol ([2]) is a protocol that eventually reaches a legitimate configuration,
where spec(v) holds at every process v, regardless of the initial configuration. Once it reaches a
legitimate configuration, every process never changes its O-variables and always satisfies spec(v).
From this definition, a self-stabilizing protocol is expected to tolerate any number and any type
of transient faults since it can eventually recover from any configuration affected by the transient
faults. However, the recovery from any configuration is guaranteed only when every process
correctly executes its action from the configuration, i.e., we do not consider existence of permanently
faulty processes.

When (permanent) Byzantine processes exist, Byzantine processes may not satisfy spec(v). In
addition, correct processes near the Byzantine processes can be influenced and may be unable to
satisfy spec(v). Nesterenko and Arora [13] define a strictly stabilizing protocol as a self-stabilizing
protocol resilient to an unbounded number of Byzantine processes.

Given an integer c, a c-correct process is a process defined as follows.

Definition 1 (c-correct process) A process is c-correct if it is correct (i.e. not Byzantine) and
located at distance more than c from any Byzantine process.

Definition 2 ((c, f)-containment) A configuration $\rho$ is (c, f)-contained for specification spec if,
given at most f Byzantine processes, in any execution starting from $\rho$, every c-correct process v
always satisfies spec(v) and never changes its O-variables.

The parameter c of Definition 2 refers to the containment radius defined in [13]. The parameter
f refers explicitly to the number of Byzantine processes, while [14] dealt with an unbounded number
of Byzantine faults (that is, $f \in \{0, \ldots, n\}$).

Definition 3 ((c, f)-strict stabilization) A protocol is (c, f)-strictly stabilizing for specification
spec if, given at most f Byzantine processes, any execution $e = \rho_0, \rho_1, \ldots$ contains a configuration
$\rho_i$ that is (c, f)-contained for spec.

An important limitation of the model of [14] is the notion of r-restrictive specifications.
Intuitively, a specification is r-restrictive if it prevents combinations of states that belong to two
processes u and v that are at least r hops away. An important consequence related to Byzantine
tolerance is that the containment radius of protocols solving those specifications is at least r. For
some (global) problems r cannot be bounded by a constant. In consequence, we can show that
there exists no (c, 1)-strictly stabilizing protocol for such a problem for any (finite) integer c.

Strong stabilization. To circumvent such impossibility results, [7] defines a weaker notion than
strict stabilization. Here, the requirement on the containment radius is relaxed, i.e. there may
exist processes outside the containment radius that invalidate the specification predicate, due to
Byzantine actions. However, the impact of Byzantine-triggered actions is limited in time: the set of
Byzantine processes may only impact processes outside the containment radius a bounded number
of times, even if Byzantine processes execute an infinite number of actions.

In the remainder of this section, we recall the formal definition of strong stabilization adopted in
[7]. From the states of c-correct processes, c-legitimate configurations and c-stable configurations
are defined as follows.

Definition 4 (c-legitimate configuration) A configuration $\rho$ is c-legitimate for spec if every
c-correct process v satisfies spec(v).

Definition 5 (c-stable configuration) A configuration $\rho$ is c-stable if every c-correct process
never changes the values of its O-variables as long as Byzantine processes make no action.

Roughly speaking, the aim of self-stabilization is to guarantee that a distributed system
eventually reaches a c-legitimate and c-stable configuration. However, a self-stabilizing system can be
disturbed by Byzantine processes after reaching a c-legitimate and c-stable configuration. The
c-disruption represents the period where c-correct processes are disturbed by Byzantine processes
and is defined as follows.

Definition 6 (c-disruption) A portion of execution $e = \rho_0, \rho_1, \ldots, \rho_t$ ($t \ge 1$) is a c-disruption if
and only if the following holds:

1. e is finite,

2. e contains at least one action of a c-correct process for changing the value of an O-variable,

3. $\rho_0$ is c-legitimate for spec and c-stable, and

4. $\rho_t$ is the first configuration after $\rho_0$ such that $\rho_t$ is c-legitimate for spec and c-stable.

Now we can define a self-stabilizing protocol such that Byzantine processes may only impact 
processes outside the containment radius a bounded number of times, even if Byzantine processes 
execute an infinite number of actions. 

Definition 7 ((t, k, c, f)-time contained configuration) A configuration $\rho_0$ is (t, k, c, f)-time
contained for spec if, given at most f Byzantine processes, the following properties are satisfied:

1. $\rho_0$ is c-legitimate for spec and c-stable,

2. every execution starting from $\rho_0$ contains a c-legitimate configuration for spec after which the
values of all the O-variables of c-correct processes remain unchanged (even when Byzantine
processes make actions repeatedly and forever),

3. every execution starting from $\rho_0$ contains at most t c-disruptions, and

4. every execution starting from $\rho_0$ contains at most k actions of changing the values of
O-variables for each c-correct process.

Definition 8 ((t, c, f)-strongly stabilizing protocol) A protocol A is (t, c, f)-strongly
stabilizing if and only if starting from any arbitrary configuration, every execution involving at most f
Byzantine processes contains a (t, k, c, f)-time contained configuration that is reached after at most
l rounds. Parameters l and k are respectively the (t, c, f)-stabilization time and the
(t, c, f)-process-disruption times of A.

Note that a (t, k, c, f)-time contained configuration is a (c, f)-contained configuration when
t = k = 0, and thus, a (t, k, c, f)-time contained configuration is a generalization (relaxation) of
a (c, f)-contained configuration. Thus, a strongly stabilizing protocol is weaker than a strictly
stabilizing one (as processes outside the containment radius may take incorrect actions due to
Byzantine influence). However, a strongly stabilizing protocol is stronger than a classical
self-stabilizing one (that may never meet their specification in the presence of Byzantine processes).

The parameters t, k and c are introduced to quantify the strength of fault containment; we do
not require each process to know the values of the parameters.

Topology-aware Byzantine resilience. We saw previously that there exist a number of
impossibility results on strict stabilization due to the notion of r-restrictive specifications. To circumvent
this impossibility result, we describe here another weaker notion than strict stabilization:
topology-aware strict stabilization (denoted by TA strict stabilization for short) introduced by [5].
Here, the requirement on the containment radius is relaxed, i.e. the set of processes which may
be disturbed by Byzantine ones is not reduced to the union of c-neighborhoods of Byzantine
processes (i.e. the set of processes at distance at most c from a Byzantine process) but can be defined
depending on the graph topology and the location of Byzantine processes.

In the following, we give the formal definition of this new kind of Byzantine containment. From
now on, $B$ denotes the set of Byzantine processes and $S_B$ (which is a function of $B$) denotes a subset of
$V$ (intuitively, this set gathers all processes which may be disturbed by Byzantine processes).

Definition 9 ($S_B$-correct node) A node is $S_B$-correct if it is a correct node (i.e. not Byzantine)
that does not belong to $S_B$.

Definition 10 ($S_B$-legitimate configuration) A configuration $\rho$ is $S_B$-legitimate for spec if
every $S_B$-correct node v is legitimate for spec (i.e. if spec(v) holds).

Definition 11 (($S_B$, f)-topology-aware containment) A configuration $\rho_0$ is ($S_B$, f)-topology-aware
contained for specification spec if, given at most f Byzantine processes, in any execution
$e = \rho_0, \rho_1, \ldots$, every configuration is $S_B$-legitimate and every $S_B$-correct process never changes its
O-variables.

The parameter $S_B$ of Definition 11 refers to the containment area. Any process which belongs
to this set may be infinitely disturbed by Byzantine processes. The parameter f refers explicitly
to the number of Byzantine processes.

Definition 12 (($S_B$, f)-topology-aware strict stabilization) A protocol is ($S_B$, f)-topology-aware
strictly stabilizing for specification spec if, given at most f Byzantine processes, any execution
$e = \rho_0, \rho_1, \ldots$ contains a configuration $\rho_i$ that is ($S_B$, f)-topology-aware contained for spec.

Note that, if $B$ denotes the set of Byzantine processes and $S_B = \{v \in V \mid \min_{b \in B} d(v, b) \le c\}$,
then a ($S_B$, f)-topology-aware strictly stabilizing protocol is a (c, f)-strictly stabilizing protocol.
Thus, the concept of topology-aware strict stabilization is a generalization of strict stabilization.
However, note that a TA strictly stabilizing protocol is stronger than a classical self-stabilizing
protocol (that may never meet their specification in the presence of Byzantine processes). The
parameter $S_B$ is introduced to quantify the strength of fault containment; we do not require each
process to know the actual definition of the set.

Similarly to topology-aware strict stabilization, we can weaken the notion of strong stabilization 
using the notion of containment area. This idea was introduced by [6]. We recall in the following 
the formal definition of this concept. 

Definition 13 ($S_B$-stable configuration) A configuration $\rho$ is $S_B$-stable if every $S_B$-correct
process never changes the values of its O-variables as long as Byzantine processes make no action.

Definition 14 ($S_B$-TA-disruption) A portion of execution $e = \rho_0, \rho_1, \ldots, \rho_t$ ($t \ge 1$) is a
$S_B$-TA-disruption if and only if the following hold:

1. e is finite,

2. e contains at least one action of a $S_B$-correct process for changing the value of an O-variable,

3. $\rho_0$ is $S_B$-legitimate for spec and $S_B$-stable, and

4. $\rho_t$ is the first configuration after $\rho_0$ such that $\rho_t$ is $S_B$-legitimate for spec and $S_B$-stable.

Definition 15 ((t, k, $S_B$, f)-TA time contained configuration) A configuration $\rho_0$ is
(t, k, $S_B$, f)-TA time contained for spec if, given at most f Byzantine processes, the following
properties are satisfied:

1. $\rho_0$ is $S_B$-legitimate for spec and $S_B$-stable,

2. every execution starting from $\rho_0$ contains a $S_B$-legitimate configuration for spec after which
the values of all the O-variables of $S_B$-correct processes remain unchanged (even when
Byzantine processes make actions repeatedly and forever),

3. every execution starting from $\rho_0$ contains at most t $S_B$-TA-disruptions, and

4. every execution starting from $\rho_0$ contains at most k actions of changing the values of
O-variables for each $S_B$-correct process.

Definition 16 ((t, $S_B$, f)-TA strongly stabilizing protocol) A protocol A is (t, $S_B$, f)-TA
strongly stabilizing if and only if starting from any arbitrary configuration, every execution
involving at most f Byzantine processes contains a (t, k, $S_B$, f)-TA time contained configuration that is
reached after at most l actions of each $S_B$-correct node. Parameters l and k are respectively the
(t, $S_B$, f)-stabilization time and the (t, $S_B$, f)-process-disruption time of A.
3 Maximum Metric Tree Construction



3.1 Definition and Specification 

In this work, we deal with maximum (routing) metric trees as defined in [9]. Informally, the goal
of a routing protocol is to construct a tree that simultaneously maximizes the metric values of all
of the nodes with respect to some total ordering $\prec$. In the following, we recall all definitions and
notations introduced in [9].

Definition 17 (Routing metric) A routing metric (or just metric) is a five-tuple
$(M, W, met, mr, \prec)$ where:

1. $M$ is a set of metric values,

2. $W$ is a set of edge weights,

3. $met$ is a metric function whose domain is $M \times W$ and whose range is $M$,

4. $mr$ is the maximum metric value in $M$ with respect to $\prec$ and is assigned to the root of the
system,

5. $\prec$ is a less-than total order relation over $M$ that satisfies the following three conditions for
arbitrary metric values $m$, $m'$, and $m''$ in $M$:

(a) irreflexivity: $m \not\prec m$,

(b) transitivity: if $m \prec m'$ and $m' \prec m''$ then $m \prec m''$,

(c) totality: $m \prec m'$ or $m' \prec m$ or $m = m'$.

Any metric value $m \in M \setminus \{mr\}$ satisfies the utility condition (that is, there exist $w_0, \ldots, w_{k-1}$ in
$W$ and $m_0 = mr, m_1, \ldots, m_{k-1}, m_k = m$ in $M$ such that $\forall i \in \{1, \ldots, k\}$, $m_i = met(m_{i-1}, w_{i-1})$).

For instance, we provide the definition of four classical metrics with this model: the shortest
path metric ($\mathcal{SP}$), the flow metric ($\mathcal{F}$), and the reliability metric ($\mathcal{R}$). Note also that we can
model the construction of a spanning tree with no particular constraints in this model using the
metric $\mathcal{NC}$ described below and the construction of a BFS spanning tree using the shortest path
metric ($\mathcal{SP}$) with $W_1 = \{1\}$ (we denote this metric by $\mathcal{BFS}$ in the following).



$\mathcal{SP} = (M_1, W_1, met_1, mr_1, \prec_1)$
where
    $M_1 = \mathbb{N}$
    $W_1 = \mathbb{N}$
    $met_1(m, w) = m + w$
    $mr_1 = 0$
    $\prec_1$ is the classical $>$ relation

$\mathcal{F} = (M_2, W_2, met_2, mr_2, \prec_2)$
where
    $mr_2 \in \mathbb{N}$
    $M_2 = \{0, \ldots, mr_2\}$
    $W_2 = \{0, \ldots, mr_2\}$
    $met_2(m, w) = \min\{m, w\}$
    $\prec_2$ is the classical $<$ relation

$\mathcal{R} = (M_3, W_3, met_3, mr_3, \prec_3)$
where

$\mathcal{NC} = (M_4, W_4, met_4, mr_4, \prec_4)$
where
    $M_4 = \{0\}$
    $W_4 = \{0\}$
    $met_4(m, w) = 0$
    $mr_4 = 0$
    $\prec_4$ is the classical $<$ relation
Definition 18 (Assigned metric) An assigned metric over a system $S$ is a six-tuple
$(M, W, met, mr, \prec, wf)$ where $(M, W, met, mr, \prec)$ is a metric and $wf$ is a function that assigns to each
edge of $S$ a weight in $W$.

Let a rooted path (from $v$) be a simple path from a process $v$ to the root $r$. The next set of
definitions is with respect to an assigned metric $(M, W, met, mr, \prec, wf)$ over a given system $S$.

Definition 19 (Metric of a rooted path) The metric of a rooted path in $S$ is the prefix sum
of $met$ over the edge weights in the path and $mr$.

For example, if a rooted path $p$ in $S$ is $v_k, \ldots, v_0$ with $v_0 = r$, then the metric of $p$ is
$m_k = met(m_{k-1}, wf(\{v_k, v_{k-1}\}))$ with $\forall i \in \{1, \ldots, k-1\}$, $m_i = met(m_{i-1}, wf(\{v_i, v_{i-1}\}))$ and $m_0 = mr$.

Definition 20 (Maximum metric path) A rooted path $p$ from $v$ in $S$ is called a maximum
metric path with respect to an assigned metric if and only if for every other rooted path $q$ from $v$
in $S$, the metric of $p$ is greater than or equal to the metric of $q$ with respect to the total order $\prec$.

Definition 21 (Maximum metric of a node) The maximum metric of a node $v \ne r$ (or simply
metric value of $v$) in $S$ is defined by the metric of a maximum metric path from $v$. The maximum
metric of $r$ is $mr$.

Definition 22 (Maximum metric tree) A spanning tree $T$ of $S$ is a maximum metric tree with
respect to an assigned metric over $S$ if and only if every rooted path in $T$ is a maximum metric
path in $S$ with respect to the assigned metric.

The goal of the work of [9] is the study of metrics that always allow the construction of a 
maximum metric tree. More formally the definition follows. 

Definition 23 (Maximizable metric) A metric is maximizable if and only if for any assign- 
ment of this metric over any system S, there is a maximum metric tree for S with respect to the 
assigned metric. 

Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, the aim of this work is to study the
construction of a maximum metric tree with respect to $\mathcal{M}$ which spans the system in a
self-stabilizing way in a system subject to permanent Byzantine failures. It is obvious that these
Byzantine processes may disturb some correct processes. This is why we relax the problem in the
following way: we want to construct a maximum metric forest with respect to $\mathcal{M}$. The root of any
tree of this forest must be either the real root or a Byzantine process.

Each process $v$ has two O-variables: a pointer to its parent in its tree ($prnt_v \in N_v \cup \{\bot\}$) and a
level which stores its current metric value ($level_v \in M$). Obviously, Byzantine processes may disturb
(at least) their neighbors. We use the following specification of the problem.

We introduce new notations as follows. Given an assigned metric $(M, W, met, mr, \prec, wf)$ over
the system $S$ and two processes $u$ and $v$, we denote by $\mu(u, v)$ the maximum metric of node $u$ when
$v$ plays the role of the root of the system. If $u$ and $v$ are neighbors, we denote by $w_{u,v}$ the weight
of the edge $\{u, v\}$ (that is, the value of $wf(\{u, v\})$).

Definition 24 ($\mathcal{M}$-path) Given an assigned metric $\mathcal{M} = (M, W, mr, met, \prec, wf)$ over a system
$S$, a path $(v_0, \ldots, v_k)$ ($k \ge 1$) of $S$ is a $\mathcal{M}$-path if and only if:

1. $prnt_{v_0} = \bot$, $level_{v_0} = 0$, and $v_0 \in B \cup \{r\}$,

2. $\forall i \in \{1, \ldots, k\}$, $prnt_{v_i} = v_{i-1}$ and $level_{v_i} = met(level_{v_{i-1}}, w_{v_i, v_{i-1}})$,

3. $\forall i \in \{1, \ldots, k\}$, $met(level_{v_{i-1}}, w_{v_i, v_{i-1}}) = \max_{\prec,\, u \in N_{v_i}} \{met(level_u, w_{v_i, u})\}$, and

4. $level_{v_k} = \mu(v_k, v_0)$.

We define the specification predicate spec(v) of the maximum metric tree construction with
respect to a maximizable metric $\mathcal{M}$ as follows.

spec(v):
    $prnt_v = \bot$ and $level_v = $ if $v$ is the root $r$
    there exists a $\mathcal{M}$-path $(v_0, \ldots, v_k)$ such that $v_k = v$ otherwise

3.2 Previous results

In this section, we summarize known results about maximum metric tree construction. The first
interesting result about maximizable metrics is due to [9], which provides a full characterization of
maximizable metrics as follows.

Definition 25 (Boundedness) A metric $(M, W, met, mr, \prec)$ is bounded if and only if:
$\forall m \in M, \forall w \in W$, $met(m, w) \prec m$ or $met(m, w) = m$.

Definition 26 (Monotonicity) A metric $(M, W, met, mr, \prec)$ is monotonic if and only if:
$\forall (m, m') \in M^2, \forall w \in W$, $m \prec m' \Rightarrow (met(m, w) \prec met(m', w)$ or $met(m, w) = met(m', w))$.

Theorem 1 (Characterization of maximizable metrics [9]) A metric is maximizable if and
only if this metric is bounded and monotonic.

Secondly, [5] provides a self-stabilizing protocol to construct a maximum metric tree with respect
to any maximizable metric. Now, we focus on self-stabilizing solutions resilient to Byzantine
faults. Following the discussion of Section 2, it is obvious that there exists no strictly stabilizing
protocol for this problem. If we consider the weaker notion of topology-aware strict stabilization,
[5] defines the best containment area:

$S_B = \{v \in V \setminus B \mid \mu(v, r) \preceq \max_{\prec}\{\mu(v, b), b \in B\}\} \setminus \{r\}$

Intuitively, $S_B$ gathers correct processes that are closer to (or at equal distance from) a Byzantine
process than the root according to the metric. Moreover, [5] proves that the algorithm introduced
for the maximum metric spanning tree construction in [8] achieves this optimal containment area.
More formally, [5] proves the following results.

Theorem 2 ([5]) Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, even under the central
daemon, there exists no ($A_B$, 1)-TA strictly stabilizing protocol for maximum metric spanning tree
construction with respect to $\mathcal{M}$ where $A_B \subsetneq S_B$.

Theorem 3 ([5]) Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, the protocol of [8] is a
($S_B$, $n - 1$)-TA strictly stabilizing protocol for maximum metric spanning tree construction with
respect to $\mathcal{M}$.

Some other works try to circumvent the impossibility result of strict stabilization using the
concept of strong stabilization but do not provide results for any maximizable metric. Indeed, [7]
proves the following result about spanning tree.
Theorem 4 ([7]) There exists a (t, 0, $n - 1$)-strongly stabilizing protocol for maximum metric
spanning tree construction with respect to $\mathcal{NC}$ (that is, for a spanning tree with no particular constraints)
with a finite t.

On the other hand, regarding BFS spanning tree construction, [6] proved the following impos- 
sibility result. 

Theorem 5 ([6]) Even under the central daemon, there exists no (t, c, 1)-strongly stabilizing
protocol for maximum metric spanning tree construction with respect to $\mathcal{BFS}$ where t and c are two
finite integers.

These two results motivate our result related to strong stabilization in the general case (see
Section 4.1) that proves a necessary condition on the maximizable metric to allow strong stabilization.
Now, if we focus on topology-aware strong stabilization, [6] proved the following results.

Theorem 6 ([6]) Even under the central daemon, there exists no (t, $A^*_B$, 1)-TA strongly stabilizing
protocol for maximum metric spanning tree construction with respect to $\mathcal{BFS}$ where
$A^*_B \subsetneq \{v \in V \mid \min_{b \in B} d(v, b) < d(r, v)\}$ and t is a finite integer.

Theorem 7 ([6]) The protocol of [10] is a (t, $S_B$, $n - 1$)-TA strongly stabilizing protocol for
maximum metric spanning tree construction with respect to $\mathcal{BFS}$ where t is a finite integer and
$S_B = \{v \in V \mid \min_{b \in B} d(v, b) < d(r, v)\}$.

In the following, we generalize Theorem 6 to any maximizable metric (see Section 4.2).
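The containment area $S_B$ that [5] defines for an arbitrary maximizable metric can be computed directly from the maximum metrics $\mu(v, r)$ and $\mu(v, b)$. The following Python is an added example, not code from the paper or from the cited protocols; the graph, weights and function names are constructed, the root value 0 is assumed for the shortest path metric, $mr_2 = 5$ is chosen for the flow metric, and the greedy settling order relies on the metric being bounded and monotonic (Theorem 1).

```python
# Added example (not from the paper): containment area S_B for an assigned metric.
# The graph, its weights and all names below are constructed for illustration.


def undirected(edges):
    """Build {u: {v: weight}} from (u, v, weight) triples."""
    adj = {}
    for u, v, w in edges:
        adj.setdefault(u, {})[v] = w
        adj.setdefault(v, {})[u] = w
    return adj


def max_metrics(adj, source, mr, met, prec):
    """Return {v: mu(v, source)}: the maximum metric of v when `source` acts as root.

    Dijkstra-style greedy: settle the unsettled process whose tentative value is
    maximal for prec, then relax its edges with met. This order is sound only for
    bounded and monotonic (maximizable) metrics. The graph must be connected.
    """
    level = {source: mr}
    settled = set()
    while len(settled) < len(level):
        u = None
        for v in level:
            if v not in settled and (u is None or prec(level[u], level[v])):
                u = v
        settled.add(u)
        for v, w in adj[u].items():
            cand = met(level[u], w)
            if v not in settled and (v not in level or prec(level[v], cand)):
                level[v] = cand
    return level


def containment_area(adj, root, byzantine, mr, met, prec):
    """S_B: correct non-root processes v whose mu(v, root) is at most
    (for the order prec) the best mu(v, b) over Byzantine processes b."""
    if not byzantine:
        return set()
    mu_root = max_metrics(adj, root, mr, met, prec)
    mu_byz = [max_metrics(adj, b, mr, met, prec) for b in sorted(byzantine)]
    area = set()
    for v in adj:
        if v == root or v in byzantine:
            continue
        best = mu_byz[0][v]
        for mu in mu_byz[1:]:
            if prec(best, mu[v]):
                best = mu[v]
        # Ties count as inside the area ("closer or at equal distance").
        if mu_root[v] == best or prec(mu_root[v], best):
            area.add(v)
    return area


# Constructed system: r is the root, b is Byzantine.
GRAPH = undirected([("r", "a", 1), ("a", "c", 1), ("c", "d", 1),
                    ("d", "b", 1), ("a", "e", 4), ("e", "b", 1)])

# Shortest path metric: met = m + w, root value 0 (assumed), x precedes y iff x > y.
SP = dict(mr=0, met=lambda m, w: m + w, prec=lambda x, y: x > y)
# Flow metric with mr_2 = 5 (constructed): met = min{m, w}, x precedes y iff x < y.
FLOW = dict(mr=5, met=lambda m, w: min(m, w), prec=lambda x, y: x < y)

if __name__ == "__main__":
    for name, metric in (("SP", SP), ("F", FLOW)):
        area = containment_area(GRAPH, "r", {"b"}, **metric)
        print(name, "S_B =", sorted(area))
```

On this graph the shortest path metric leaves process a outside the area, while the flow metric ties every correct process with the Byzantine one and so places all of them inside it.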

4 Necessary conditions 

In this section, we provide our necessary conditions about containment radius (respectively area) 
of any strongly stabilizing (respectively TA strongly stabilizing) protocol for the maximum metric 
tree construction. 

4.1 Strong Stabilization 

We introduce here some new definitions to characterize some important properties of maximizable 
metrics that are used in the following. 

Definition 27 (Strictly decreasing metric) A metric $\mathcal{M} = (M, W, mr, met, \prec)$ is strictly
decreasing if, for any metric value $m \in M$, the following property holds: either
$\forall w \in W, met(m, w) \prec m$ or $\forall w \in W, met(m, w) = m$.

Definition 28 (Fixed point) A metric value $m$ is a fixed point of a metric
$\mathcal{M} = (M, W, mr, met, \prec)$ if $m \in M$ and if for any value $w \in W$, we have: $met(m, w) = m$.

Then, we define a specific class of maximizable metrics and we prove that it is possible to 
construct a maximum metric tree in a strongly-stabilizing way only if we consider such a metric. 

Definition 29 (Strongly maximizable metric) A maximizable metric
$\mathcal{M} = (M, W, mr, met, \prec)$ is strongly maximizable if and only if $|M| = 1$ or if the following properties hold:

• $|M| \ge 2$,

• $\mathcal{M}$ is strictly decreasing, and

• $\mathcal{M}$ has one and only one fixed point.

Note that $\mathcal{NC}$ is a strongly maximizable metric (since $|M_4| = 1$) whereas $\mathcal{BFS}$ or $\mathcal{SP}$ are not
(since the first one has no fixed point, the second is not strictly decreasing). If we consider the
metric $\mathcal{MET}$ defined below, we can show that $\mathcal{MET}$ is a strongly maximizable metric such that
$|M| \ge 2$.

$\mathcal{MET} = (M_5, W_5, met_5, mr_5, \prec_5)$
where
    $M_5 = \{0, 1, 2, 3\}$
    $W_5 = \{1\}$
    $met_5(m, w) = \max\{0, m - w\}$
    $mr_5 = 3$
    $\prec_5$ is the classical $<$ relation

Now, we can state our first necessary condition. 

Theorem 8 Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, even under the central
daemon, there exists no (t, c, 1)-strongly stabilizing protocol for maximum metric spanning tree
construction with respect to $\mathcal{M}$ for any finite integer t if:

$$\begin{cases} \mathcal{M} \text{ is not a strongly maximizable metric} \\ \text{or} \\ c < |M| - 2 \end{cases}$$

Proof We prove this result by contradiction. We assume that $\mathcal{M} = (M, W, mr, met, \prec)$ is a
maximizable metric such that there exist a finite integer $t$ and a protocol $\mathcal{P}$ that is a
$(t, c, 1)$-strongly stabilizing protocol for maximum metric spanning tree construction with respect
to $\mathcal{M}$. We distinguish the following cases (note that they are exhaustive):

Case 1: $\mathcal{M}$ is a strongly maximizable metric and $c < |M| - 2$.

As $c > 0$, we know that $|M| > 2$ and by definition of a strongly maximizable metric, $\mathcal{M}$ is
strictly decreasing, and $\mathcal{M}$ has one and only one fixed point.

By assumption on $\mathcal{M}$, we know that there exist $c + 3$ distinct metric values
$m_0 = mr, m_1, \ldots, m_{c+2}$ in $M$ and $w_0, w_1, \ldots, w_{c+1}$ in $W$ such that:
$\forall i \in \{1, \ldots, c + 2\}, m_i = met(m_{i-1}, w_{i-1}) \prec m_{i-1}$.

Let $S = (V, E, W)$ be the following weighted system: $V = \{p_0 = r, p_1, \ldots, p_{2c+2}, p_{2c+3} = b\}$,
$E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, 2c + 2\}\}$ and
$\forall i \in \{0, \ldots, c + 1\}, w_{p_i, p_{i+1}} = w_{p_{2c+3-i}, p_{2c+2-i}} = w_i$. Note
that the choice $w_{p_{c+1}, p_{c+2}} = w_{c+1}$ ensures us the following property when
$level_r = level_b = mr$: $\mu(p_{c+1}, b) \prec \mu(p_{c+1}, r)$ (and by symmetry,
$\mu(p_{c+2}, r) \prec \mu(p_{c+2}, b)$). Process $p_0$ is the real root and process $b$ is a
Byzantine one. Note that the construction of $W$ ensures the following properties when
$level_r = level_b = mr$: $\forall i \in \{1, \ldots, c + 1\}, \mu(p_i, r) = \mu(p_{2c+3-i}, b)$,
$\mu(p_i, b) \prec \mu(p_i, r)$ and $\mu(p_{2c+3-i}, r) \prec \mu(p_{2c+3-i}, b)$.

Assume that the initial configuration $\rho_0$ of $S$ satisfies: $prnt_r = prnt_b = \bot$,
$level_r = level_b = mr$, and other variables of $b$ (if any) are identical to those of $r$ (see
Figure 1, variables of other processes may be arbitrary). Assume now that $b$ takes exactly the same
actions as $r$ (if any) immediately after $r$. Then, by symmetry of the execution and by convergence
of $\mathcal{P}$ to $spec$, we can deduce that the system reaches in a finite time a configuration
$\rho_1$ (see Figure 1) in which: $\forall i \in \{1, \ldots, c + 1\}, prnt_{p_i} = p_{i-1}$ and
$level_{p_i} = \mu(p_i, r) = m_i$, and $\forall i \in \{c + 2, \ldots, 2c + 2\}, prnt_{p_i} = p_{i+1}$
and $level_{p_i} = \mu(p_i, b) = m_{2c+3-i}$ (because this configuration is the only one in which
all correct process $v$ satisfies $spec(v)$ when $prnt_r = prnt_b = \bot$ and $level_r = level_b = mr$
by construction of $W$). Note that $\rho_1$ is $c$-legitimate and $c$-stable.

Figure 1: Configurations used in proof of Theorem 8, case 1.

Assume now that the Byzantine process acts as a correct process and executes correctly
its algorithm. Then, by convergence of $\mathcal{P}$ in fault-free systems (remember that a
strongly-stabilizing algorithm is a special case of self-stabilizing algorithm), we can deduce that
the system reaches in a finite time a configuration $\rho_2$ (see Figure 1) in which:
$\forall i \in \{1, \ldots, 2c + 3\}, prnt_{p_i} = p_{i-1}$ and $level_{p_i} = \mu(p_i, r)$ (because
this configuration is the only one in which all process $v$ satisfies $spec(v)$). Note that the
portion of execution between $\rho_1$ and $\rho_2$ contains at least one $c$-perturbation ($p_{c+2}$
is a $c$-correct process and modifies at least once its O-variables) and that $\rho_2$ is
$c$-legitimate and $c$-stable.

Assume now that the Byzantine process $b$ takes the following state: $prnt_b = \bot$ and
$level_b = mr$. This step brings the system into configuration $\rho_3$ (see Figure 1). From this
configuration, we can repeat the execution we constructed from $\rho_0$. By the same token, we obtain
an execution of $\mathcal{P}$ which contains $c$-legitimate and $c$-stable configurations (see
$\rho_1$) and an infinite number of $c$-perturbation which contradicts the $(t, c, 1)$-strong
stabilization of $\mathcal{P}$.

Figure 2: Configurations used in proof of Theorem 8, cases 2 and 3.

Case 2: $\mathcal{M}$ is not strictly decreasing.

By definition, we know that $\mathcal{M}$ is not a strongly maximizable metric. Hence, we have
$|M| > 2$. Then, the definition of a strictly decreasing metric implies that there exists a metric
value $m \in M$ such that: $\exists w \in W, met(m, w) = m$ and
$\exists w' \in W, m' = met(m, w') \prec m$ (and thus $m$ is not a fixed point of $\mathcal{M}$). By
the utility condition on $\mathcal{M}$, we know that there exists a sequence of metric values
$m_0 = mr, m_1, \ldots, m_l = m$ in $M$ and $w_0, w_1, \ldots, w_{l-1}$ in $W$ such that
$\forall i \in \{1, \ldots, l\}, m_i = met(m_{i-1}, w_{i-1})$. Denote by $k$ the length of the
shortest such sequence. Note that this implies that $\forall i \in \{1, \ldots, k\}, m_i \prec m_{i-1}$
(otherwise we can remove $m_i$ from the sequence and this is contradictory with the construction of
$k$). We distinguish the following cases:

Case 2.1: $k > c + 2$.

We can use the same token as case 1 above by using $w'$ instead of $w_{c+1}$ in the case where
$k = c + 2$ (since we know that $met(m, w') \prec m$).

Case 2.2: $k < c + 2$.

Let $S_1 = (V, E, W)$ be the following weighted system: $V = \{p_0 = r, p_1, \ldots, p_{2c+2}, p_{2c+3} = b\}$,
$E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, 2c + 2\}\}$,
$\forall i \in \{0, \ldots, k - 1\}, w_{p_i, p_{i+1}} = w_{p_{2c+3-i}, p_{2c+2-i}} = w_i$,
$\forall i \in \{k, \ldots, c\}, w_{p_i, p_{i+1}} = w_{p_{2c+3-i}, p_{2c+2-i}} = w$ and
$w_{p_{c+1}, p_{c+2}} = w'$ (see Figure 2).

Note that this choice ensures us the following property when $level_r = level_b = mr$:
$\mu(p_{c+1}, b) \prec \mu(p_{c+1}, r)$ (and by symmetry, $\mu(p_{c+2}, r) \prec \mu(p_{c+2}, b)$).
Process $p_0$ is the real root and process $b$ is a Byzantine one. Note that the construction of
$W$ ensures the following properties when $level_r = level_b = mr$:
$\forall i \in \{1, \ldots, c + 1\}, \mu(p_i, r) = \mu(p_{2c+3-i}, b)$,
$\mu(p_i, b) \prec \mu(p_i, r)$ and $\mu(p_{2c+3-i}, r) \prec \mu(p_{2c+3-i}, b)$.
This construction allows us to follow the same proof as in case 1 above.



Case 3: $\mathcal{M}$ has no or more than two fixed points, and is strictly decreasing.

If $\mathcal{M}$ has no fixed point and is strictly decreasing, then $|M|$ is not finite and then, we
can apply the result of case 1 above since $c$ is a finite integer.

If $\mathcal{M}$ has two or more fixed points and is strictly decreasing, denote by $T$ and $T'$ two
fixed points of $\mathcal{M}$. Without loss of generality, assume that $T \prec T'$. By the utility
condition on $\mathcal{M}$, we know that there exists sequences of metric values
$m_0 = mr, m_1, \ldots, m_l = T$ and $m'_0 = mr, m'_1, \ldots, m'_{l'} = T'$ in $M$ and
$w_0, w_1, \ldots, w_{l-1}$ and $w'_0, w'_1, \ldots, w'_{l'-1}$ in $W$ such that
$\forall i \in \{1, \ldots, l\}, m_i = met(m_{i-1}, w_{i-1})$ and
$\forall i \in \{1, \ldots, l'\}, m'_i = met(m'_{i-1}, w'_{i-1})$.
Denote by $k$ and $k'$ the length of shortest such sequences. Note that this implies that
$\forall i \in \{1, \ldots, k\}, m_i \prec m_{i-1}$ and $\forall i \in \{1, \ldots, k'\}, m'_i \prec m'_{i-1}$
(otherwise we can remove $m_i$ or $m'_i$ from the corresponding sequence). We distinguish the
following cases:

Case 3.1: $k > c + 2$ or $k' > c + 2$.

Without loss of generality, assume that $k > c + 2$ (the second case is similar). We can
use the same token as case 1 above.

Case 3.2: $k < c + 2$ and $k' < c + 2$.

Let $w$ be an arbitrary value of $W$. Let $S_2 = (V, E, W)$ be the following weighted
system: $V = \{p_0 = r, p_1, \ldots, p_{2c+2}, p_{2c+3} = b\}$,
$E = \{\{p_i, p_{i+1}\}, i \in \{0, \ldots, 2c + 2\}\}$,
$\forall i \in \{0, \ldots, k - 1\}, w_{p_i, p_{i+1}} = w_i$,
$\forall i \in \{0, \ldots, k' - 1\}, w_{p_{2c+3-i}, p_{2c+2-i}} = w'_i$ and
$\forall i \in \{k, \ldots, 2c + 2 - k'\}, w_{p_i, p_{i+1}} = w$ (see Figure 2). Note that this
choice ensures us the following property when $level_r = level_b = mr$:
$\mu(p_{c+1}, r) = T \prec T' = \mu(p_{c+1}, b)$ and $\mu(p_{c+2}, r) = T \prec T' = \mu(p_{c+2}, b)$.
Process $p_0$ is the real root and process $b$ is a Byzantine one.
This construction allows us to follow a similar proof as in case 1 above (note that any
process $u$ which satisfies $\mu(u, r) \prec T'$ will be disturbed infinitely often, in particular
at least $p_{c+1}$ and $p_{c+2}$, which contradicts the $(t, c, 1)$-strong stabilization of
$\mathcal{P}$).

In any case, we show that there exists a system which contradicts the $(t, c, 1)$-strong
stabilization of $\mathcal{P}$ that ends the proof. □

4.2 Topology Aware Strong Stabilization

First, we generalize the set $S_B^*$ previously defined for the BJ-S metric in [6] to any maximizable
metric $\mathcal{M} = (M, W, mr, met, \prec)$.

$$S_B^* = \left\{ v \in V \setminus B \;\middle|\; \mu(v, r) \prec \max_{\prec,\, b \in B} \{\mu(v, b)\} \right\}$$

Intuitively, $S_B^*$ gathers the set of correct processes that are strictly closer (according to
$\mathcal{M}$) to a Byzantine process than the root. Figures 3 to 5 provide some examples of
containment areas with respect to several maximizable metrics and compare it to $S_B$, the optimal
containment area for TA strict stabilization.

Now, we can state our generalization of Theorem [6].

Theorem 9 Given a maximizable metric $\mathcal{M} = (M, W, mr, met, \prec)$, even under the central
daemon, there exists no $(t, A_B^*, 1)$-TA-strongly stabilizing protocol for maximum metric spanning
tree construction with respect to $\mathcal{M}$ where $A_B^* \subsetneq S_B^*$ and $t$ is a given
finite integer.

Figure 3: Examples of containment areas for SP spanning tree construction.



Proof Let $\mathcal{M} = (M, W, mr, met, \prec)$ be a maximizable metric and $\mathcal{P}$ be a
$(t, A_B^*, 1)$-TA-strongly stabilizing protocol for maximum metric spanning tree construction with
respect to $\mathcal{M}$ where $A_B^* \subsetneq S_B^*$ and $t$ is a finite integer. We must
distinguish the following cases:

Case 1: $|M| = 1$.

Denote by $m$ the metric value such that $M = \{m\}$. For any system and for any process $v$, we
have $\mu(v, r) = \min_{\prec,\, b \in B}\{\mu(v, b)\} = m$. Consequently, $S_B^* = \emptyset$ for any
system. Then, it is absurd to have $A_B^* \subsetneq S_B^*$.

Case 2: $|M| > 2$.

By definition of a bounded metric, we can deduce that there exists $m \in M$ and $w \in W$ such
that $m = met(mr, w) \prec mr$. Then, we must distinguish the following cases:

Case 2.1: $m$ is a fixed point of $\mathcal{M}$.

Let $S$ be a system such that any edge incident to the root or a Byzantine process has a
weight equal to $w$. Then, we can deduce that we have:
$m = \max_{\prec,\, b \in B}\{\mu(r, b)\} \prec \mu(r, r) = mr$ and for any correct process
$v \neq r$, $\mu(v, r) = \max_{\prec,\, b \in B}\{\mu(v, b)\} = m$. Hence, $S_B^* = \emptyset$ for
any such system. Then, it is absurd to have $A_B^* \subsetneq S_B^*$.

Case 2.2: $m$ is not a fixed point of $\mathcal{M}$.

This implies that there exists $w' \in W$ such that: $met(m, w') \prec m$ (remember that
$\mathcal{M}$ is bounded). Consider the following system: $V = \{r, u, u', v, v', b\}$,
$E = \{\{r, u\}, \{r, u'\}, \{u, v\}, \{u', v'\}, \{v, b\}, \{v', b\}\}$,
$w_{r,u} = w_{r,u'} = w_{v,b} = w_{v',b} = w$, and $w_{u,v} = w_{u',v'} = w'$
($b$ is a Byzantine process). We can see that $S_B^* = \{v, v'\}$. Since $A_B^* \subsetneq S_B^*$,
we have: $v \notin A_B^*$ or $v' \notin A_B^*$. Consider now the following configuration $\rho_0$:
$prnt_r = prnt_b = \bot$, $level_r = level_b = mr$, and $prnt$, $level$ variables of other processes
are arbitrary (see Figure 6, other variables may have arbitrary values but other variables of $b$
are identical to those of $r$).



Figure 4: Examples of containment areas for flow spanning tree construction.

Assume now that $b$ takes exactly the same actions as $r$ (if any) immediately after $r$
(note that $r \notin A_B^*$ and hence $prnt_r = \bot$ and $level_r = mr$ still hold by closure and
then $prnt_b = \bot$ and $level_b = mr$ still hold too). Then, by symmetry of the execution and
by convergence of $\mathcal{P}$ to $spec$, we can deduce that the system reaches in a finite time
a configuration $\rho_1$ (see Figure 6) in which: $prnt_r = prnt_b = \bot$, $prnt_u = prnt_{u'} = r$,
$prnt_v = prnt_{v'} = b$, $level_r = level_b = mr$, and $level_u = level_{u'} = level_v = level_{v'} = m$
(because this configuration is the only one in which all correct process $v$ satisfies $spec(v)$
when $prnt_r = prnt_b = \bot$ and $level_r = level_b = mr$ since $met(m, w') \prec m$). Note that
$\rho_1$ is $A_B^*$-legitimate for $spec$ and $A_B^*$-stable (whatever $A_B^*$ is).

Assume now that $b$ behaves as a correct processor with respect to $\mathcal{P}$. Then, by
convergence of $\mathcal{P}$ in a fault-free system starting from $\rho_1$ which is not legitimate
(remember that a TA-strongly stabilizing algorithm is a special case of self-stabilizing algorithm),
we can deduce that the system reaches in a finite time a configuration $\rho_2$ (see Figure 6)
in which: $prnt_r = \bot$, $prnt_u = prnt_{u'} = r$, $prnt_v = u$, $prnt_{v'} = u'$, $prnt_b = v$ (or
$prnt_b = v'$), $level_r = mr$, $level_u = level_{u'} = m$, $level_v = level_{v'} = met(m, w') = m'$,
and $level_b = met(m', w) = m''$. Note that processes $v$ and $v'$ modify their O-variables
in the portion of execution between $\rho_1$ and $\rho_2$ and that $\rho_2$ is $A_B^*$-legitimate
for $spec$ and $A_B^*$-stable (whatever $A_B^*$ is). Consequently, this portion of execution contains
at least one $A_B^*$-TA-disruption (whatever $A_B^*$ is).

Assume now that the Byzantine process $b$ takes the following state: $prnt_b = \bot$ and
$level_b = mr$. This step brings the system into configuration $\rho_3$ (see Figure 6). From this
configuration, we can repeat the execution we constructed from $\rho_0$. By the same token,
we obtain an execution of $\mathcal{P}$ which contains $c$-legitimate and $c$-stable configurations
(see $\rho_1$) and an infinite number of $A_B^*$-TA-disruption (whatever $A_B^*$ is) which contradicts
the $(t, A_B^*, 1)$-TA-strong stabilization of $\mathcal{P}$.

□ 
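
The containment area used in this proof can be computed directly on a small system. The following is an added example, not code from the paper: it instantiates the six-process system of Case 2.2 with the MET metric of Section 4.1 (so w = w' = 1) and assumes that μ(v, x) is the best metric value v can obtain over paths from x, starting from mr at x, since this section uses μ without restating it. The names `mu_from`, `containment_area`, `u2` and `v2` (for u' and v') are assumptions.

```python
from functools import reduce

def mu_from(source, edges, met, mr, prec):
    """mu(v, source) for every reachable v, by relaxation to a fixpoint."""
    level = {source: mr}
    changed = True
    while changed:
        changed = False
        for (a, b), w in edges.items():
            for u, v in ((a, b), (b, a)):          # edges are undirected
                if u not in level or v == source:
                    continue
                cand = met(level[u], w)
                if v not in level or prec(level[v], cand):
                    level[v] = cand                # strictly better value found
                    changed = True
    return level

def containment_area(nodes, edges, root, byz, met, mr, prec):
    """S_B^*: correct v whose mu(v, root) is strictly worse than the best mu(v, b)."""
    mu_r = mu_from(root, edges, met, mr, prec)
    mu_b = [mu_from(b, edges, met, mr, prec) for b in byz]
    area = set()
    for v in nodes:
        if v in byz:
            continue
        best_b = reduce(lambda x, y: y if prec(x, y) else x, (m[v] for m in mu_b))
        if prec(mu_r[v], best_b):
            area.add(v)
    return area

# MET from Section 4.1: M = {0,1,2,3}, W = {1}, mr = 3, order is the classical <.
met5 = lambda m, w: max(0, m - w)
lt = lambda x, y: x < y

# Constructed instance of the Case 2.2 system; all weights are 1 because W = {1},
# so m = met5(3, 1) = 2 and met5(2, 1) = 1 is strictly below m (m is not a fixed point).
NODES = ["r", "u", "u2", "v", "v2", "b"]
EDGES = {("r", "u"): 1, ("r", "u2"): 1, ("u", "v"): 1,
         ("u2", "v2"): 1, ("v", "b"): 1, ("v2", "b"): 1}

def case_2_2_area():
    return containment_area(NODES, EDGES, "r", {"b"}, met5, 3, lt)

if __name__ == "__main__":
    print(sorted(case_2_2_area()))
```
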
Figure 5: Examples of containment areas for reliability spanning tree construction.

5 Conclusion 

In this paper, we presented two necessary conditions to achieve strong stabilization and
topology-aware strong stabilization in maximum metric tree construction. Our work obviously leads to
the following open question: is there a topology-aware strongly stabilizing protocol that ensures a
containment area equal to $S_B^*$? We conjecture that it is the case.